ENT-1663 - Inclusion of the cert path and root cert in the exception message when cert path validation fails. (#2890)

Also, added check to node startup that --initial-registration cannot occur in devMode

node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt

@@ -104,7 +104,18 @@ object X509Utilities {
     fun validateCertPath(trustedRoot: X509Certificate, certPath: CertPath) {
         val params = PKIXParameters(setOf(TrustAnchor(trustedRoot, null)))
         params.isRevocationEnabled = false
-        CertPathValidator.getInstance("PKIX").validate(certPath, params)
+        try {
+            CertPathValidator.getInstance("PKIX").validate(certPath, params)
+        } catch (e: CertPathValidatorException) {
+            throw CertPathValidatorException(
+                    """Cert path failed to validate against root certificate.
+Reason: ${e.reason}
+Offending cert index: ${e.index}
+Cert path: $certPath
+
+Root certificate:
+$trustedRoot""", e, certPath, e.index)
+        }
     }
 
     /**

node/src/main/kotlin/net/corda/node/ArgsParser.kt

@@ -4,7 +4,6 @@ import com.typesafe.config.ConfigFactory
 import joptsimple.OptionParser
 import joptsimple.util.EnumConverter
 import joptsimple.util.PathConverter
-import net.corda.core.internal.CertRole
 import net.corda.core.internal.div
 import net.corda.core.internal.exists
 import net.corda.node.services.config.ConfigHelper
@@ -99,18 +98,23 @@ data class CmdLineOptions(val baseDirectory: Path,
                           val help: Boolean,
                           val loggingLevel: Level,
                           val logToConsole: Boolean,
-                          val nodeRegistrationConfig: NodeRegistrationOption?,
+                          val nodeRegistrationOption: NodeRegistrationOption?,
                           val isVersion: Boolean,
                           val noLocalShell: Boolean,
                           val sshdServer: Boolean,
                           val justGenerateNodeInfo: Boolean,
                           val bootstrapRaftCluster: Boolean) {
     fun loadConfig(): NodeConfiguration {
-        val config = ConfigHelper.loadConfig(baseDirectory, configFile, configOverrides = ConfigFactory.parseMap(
-                mapOf("noLocalShell" to this.noLocalShell)
-        )).parseAsNodeConfiguration()
-        if (nodeRegistrationConfig != null) {
-            requireNotNull(config.compatibilityZoneURL) { "Compatibility Zone URL (compatibilityZoneURL) must be present in node configuration file in registration mode." }
+        val config = ConfigHelper.loadConfig(
+                baseDirectory,
+                configFile,
+                configOverrides = ConfigFactory.parseMap(mapOf("noLocalShell" to this.noLocalShell))
+        ).parseAsNodeConfiguration()
+        if (nodeRegistrationOption != null) {
+            require(!config.devMode) { "registration cannot occur in devMode" }
+            requireNotNull(config.compatibilityZoneURL) {
+                "compatibilityZoneURL must be present in node configuration file in registration mode."
+            }
         }
         return config
     }

node/src/main/kotlin/net/corda/node/internal/NodeStartup.kt

@@ -104,9 +104,9 @@ open class NodeStartup(val args: Array<String>) {
         try {
             banJavaSerialisation(conf)
             preNetworkRegistration(conf)
-            if (cmdlineOptions.nodeRegistrationConfig != null) {
+            if (cmdlineOptions.nodeRegistrationOption != null) {
                 // Null checks for [compatibilityZoneURL], [rootTruststorePath] and [rootTruststorePassword] has been done in [CmdLineOptions.loadConfig]
-                registerWithNetwork(conf, cmdlineOptions.nodeRegistrationConfig)
+                registerWithNetwork(conf, cmdlineOptions.nodeRegistrationOption)
                 return true
             }
             logStartupInfo(versionInfo, cmdlineOptions, conf)

node/src/test/kotlin/net/corda/node/ArgsParserTest.kt

@@ -37,7 +37,7 @@ class ArgsParserTest {
                 help = false,
                 logToConsole = false,
                 loggingLevel = Level.INFO,
-                nodeRegistrationConfig = null,
+                nodeRegistrationOption = null,
                 isVersion = false,
                 noLocalShell = false,
                 sshdServer = false,
@@ -136,9 +136,9 @@ class ArgsParserTest {
         X509KeyStore.fromFile(truststorePath, "dummy_password", createNew = true)
         try {
             val cmdLineOptions = parser.parse("--initial-registration", "--network-root-truststore", "$truststorePath", "--network-root-truststore-password", "password-test")
-            assertNotNull(cmdLineOptions.nodeRegistrationConfig)
-            assertEquals(truststorePath.toAbsolutePath(), cmdLineOptions.nodeRegistrationConfig?.networkRootTrustStorePath)
-            assertEquals("password-test", cmdLineOptions.nodeRegistrationConfig?.networkRootTrustStorePassword)
+            assertNotNull(cmdLineOptions.nodeRegistrationOption)
+            assertEquals(truststorePath.toAbsolutePath(), cmdLineOptions.nodeRegistrationOption?.networkRootTrustStorePath)
+            assertEquals("password-test", cmdLineOptions.nodeRegistrationOption?.networkRootTrustStorePassword)
         } finally {
             Files.delete(truststorePath)
         }

testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt

@@ -246,7 +246,8 @@ class DriverDSLImpl(
                 configOverrides = configOf(
                         "p2pAddress" to "localhost:1222", // required argument, not really used
                         "compatibilityZoneURL" to compatibilityZoneURL.toString(),
-                        "myLegalName" to providedName.toString())
+                        "myLegalName" to providedName.toString(),
+                        "devMode" to false)
         ))
 
         config.corda.certificatesDirectory.createDirectories()